Battle Best combo of FW, HIPS, SB & BB - Your views

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,159
Hi

I have CFW with EAM in one tablet which covers FW, HIPS, SB and BB

Now, I have a 2nd tablet coming and I would like to try another combo. Below are some combos which need your views

1) Avast Internet Security (FW + BB + SB) + adroxideHIPS (BB + HIPS)

2) Xvirus Personal Firewall Free (FW) + Avast AV (BB) + reHIPS (HIPS + SB)

3) DefenseWall Firewall/HIPS (FW + HIPS + SB) + Avast AV (BB)

Notes :-

a) adroxideHIPS and reHIPS have no stable release yet
b) I believe the new Avast has BB which replaces its HIPS. Needs confirmation.
c) How's DefenseWall's compatibility with Win 10 64-bit?

Thanks
 

SHvFl

I see people say Avast is lighter than Windows Defender and I can also confirm through experience.
Avast uses less RAM, but for me at least there's no way it's lighter. That program eats disk IO like it's breakfast, and its CPU usage is not the best I ever saw. As I said, you don't need to have WD on; you can disable it manually.
 

Wave

Avast can't be lighter because they have many more components and they also have the ability to intercept programs' actions for the HIPS (I believe - if not, they have a device driver with callbacks), and all of this increases the time (even if it's only milliseconds and not noticeable) for things to work properly. :)

They also have a larger database of course, but they probably use the pagefile anyway.
 

AtlBo

therefore if they want to allow a program to add to start-up but auto-block modifications to the Master Boot Record (and they can have it set to alert them when this action was auto-blocked) then that is fine.

Alongside this, I am working towards dynamic heuristics (which will also be able to be disabled at the users decision) which will log the activity and intervene only when it's very certain that the program is indeed malicious, without needing any static databases to work with... And anti-executable.

Could be better than anything I have seen, especially an alert for actions that user has configured to occur. It's something I have been hoping to see from more programs. Remembering the settings choices is hard to do with so many, and this type of alert helps with this and keeps a user aware. I think I would like this type of alert to stand out or be different than the rest in some way.
 

erreale

So my final combo would be

Xvirus Personal Firewall Free (FW) + Avast AV (BB) + reHIPS (HIPS + SB) + adroxideHIPS (BB + HIPS) - 2 different HIPS here and the need to disable one BB

Thanks everyone for the help

2 HIPS and 2 BBs are really overkill. I advise you to remove something.
 

Wave

Not only this, but depending on how the products work, they may not even be compatible with each other. For example, if one product uses the same method as another product to intercept the actions then they may end up overriding each other, preventing one of the products from functioning properly.

adroxideHIPS (BB + HIPS)
Anyway, AdroxideHIPS is more of a mixed set, therefore the Behavior Blocker/HIPS is mixed into one component; some of the functionality which can be enabled fits the description of HIPS more than BB (e.g. preventing hosts file modifications, preventing AutoRun modifications, etc.), whereas other features fit the description of a BB more than HIPS (e.g. preventing process injection attacks, preventing suspicious file modifications (part of anti-ransomware), preventing master boot record modifications, etc.). The alert style will depend on the behavior which is being intercepted: if the behavior fits the description of HIPS more than BB, then the user will be notified of "suspicious" activity and the alert can be an amber color to represent this, whereas if the behavior is more dangerous and fits the description of a BB more than HIPS, the alert can be red to symbolize danger.

Thank you, hopefully it will be better than anything you've seen before. I will have a database of Trusted Publishers/genuinely clean software and this can be applied to the white-list, and eventually a cloud network for program lookup queries - this will be beneficial to reduce the alerts the user will be getting when they use new software, because nothing is more annoying than having to go through a ton of alerts for software that is clean... But of course I can make it so the user can disable the auto-white-list, and the rules for any program can be changed at any time from the white-list tab so it's not a problem.

As for the dynamic heuristics, its purpose isn't to sit there and ask you what you want to do on a certain action; its purpose is to monitor how the program is operating and only interfere when behavior which can be linked to a specific threat type is identified (such as a worm, rootkit, trojan downloader, phishing, etc.). I guess the dynamic heuristics can also be known as being part of the "behavior blocker" component; however, it's all really mixed together as a whole.

The dynamic heuristics haven't had as much development time as the mixed BB/HIPS functionality, therefore much more work is needed for them... But once they're complete the results should be pretty neat. If it doesn't work well then I can simply drop it out of the program and introduce it at a later date after release, not a problem.

Thanks for taking an interest, if you have any more questions then feel free to shoot me a PM as I don't want to hijack this thread any more haha. :)
 

HarborFront

Hi

I'll pm you for some questions

Thanks
 

HarborFront

Hi everybody

Very sorry that I misread Avast's SB. In fact, Avast's SB does auto sandboxing (which is what I'm looking for) + manual sandboxing

What does the Avast Sandbox do?

For Avast product line

Avast AV free - BB
Avast AV Pro - BB + SB
Avast IS - FW + BB + SB

Notes :-

1) I'm assuming the new Avast has BB which replaces its HIPS otherwise I'll just take Avast IS if it comes with BB + HIPS (together with FW + SB)
2) Its SB feature is still around in the new Avast paid products

My requirement still stands i.e. have a FW + BB + HIPS + SB

In view of this newfound fact my choices have changed. I prefer to use Avast as my AV, which I have good experience with previously

a) Xvirus Personal Firewall (FW) + Avast AV (BB) + reHIPS (HIPS + SB)
b) Avast IS (FW + BB + SB) + adroxideHIPS (HIPS + BB) – to disable one BB or leave it if no compatibility issue
c) PrivateFirewall (FW + HIPS) + Avast AV Pro (BB + SB)

Kindly comment. Thanks
 

509322


PrivateFirewall is no longer being developed. The developer only made it possible to install and run on W10 within the past year or so, but it has not received any updates or vulnerability fixes since 2013.
 

AtlBo

If you must use Private Firewall, install it and run it through the Matousec tests to see what gets through. Then run the Comodo Leak Test and see where it fails. Where PF fails the tests, boost security with other programs to match what is missing with something. Matousec test suite here (ssts 64 test):

Downloads - www.matousec.com

Then add somebody's Trust list to a PF export html and reimport the rules. Make it a good list. Follow up with the a-v/BB/SB you want from someplace.

It would be some work to put this together, but it is necessary if you would like to use PF. I'd like to find the time to configure a security setup around PF and then test some malware...just to see if it's possible to combine PF with any other programs, such as maybe NVT ERP, etc., to achieve full Comodo firewall type protection. I hate protection overlap, and that might be a problem.

You could probably work with the program if you can do all the above. Still, PF HIPS gets no help from the program such as a way to define "protected files", or define "protected COMs", or define "protected registry keys"...no options there at all. All this is in Comodo HIPS. Optionally, you could turn off HIPS and just use the net wall. It will give you pop-ups and some logging elements.
 

Zero Knowledge

Just setup a Windows VM and go wild testing out new software.

Honestly you have zero chance against a well funded highly skilled adversary. No amount of security software will save you.

My advice would be to buy one AV/malware suite with exploit protection. Keep up to date on OS/app patches. Use a VPN. Use DNSCrypt. And don't download from unknown sources and never click on mail links.

Not much more you can do. Just pray to the internet gods and don't piss off a nation state.
 

Wave

never click on mail links
Well, obviously you have to click on links from e-mails sometimes, like when you needed to verify your account to use this forum or forgot your password on a website (which handles the recovery via e-mail). However, I think you meant to never click on links or accept attachments from an e-mail where the sender is not a verified trusted sender, so it's important to watch out for spoof attempts.

Apart from that, I agree with the tips, pretty nice :)
 